graphql-engine/server/src-lib/Hasura/Server/Middleware.hs

module Hasura.Server.Middleware where

import           Data.Maybe            (fromMaybe)
import           Network.Wai

import           Control.Applicative
import           Hasura.Prelude
import           Hasura.Server.Cors
import           Hasura.Server.Logging (getRequestHeader)
import           Hasura.Server.Utils

import qualified Data.ByteString       as B
import qualified Data.CaseInsensitive  as CI
import qualified Data.Text.Encoding    as TE
import qualified Network.HTTP.Types    as H


corsMiddleware :: CorsPolicy -> Middleware
corsMiddleware policy app req sendResp =
  maybe (app req sendResp) handleCors $ getRequestHeader "Origin" req

  where
    handleCors origin = case cpConfig policy of
      CCDisabled _ -> app req sendResp
      CCAllowAll   -> sendCors origin
      CCAllowedOrigins ds
        -- if the origin is in our cors domains, send cors headers
        | bsToTxt origin `elem` dmFqdns ds   -> sendCors origin
        -- if current origin is part of wildcard domain list, send cors
        | inWildcardList ds (bsToTxt origin) -> sendCors origin
        -- otherwise don't send cors headers
        | otherwise                          -> app req sendResp

    sendCors :: B.ByteString -> IO ResponseReceived
    sendCors origin =
      case requestMethod req of
        "OPTIONS" -> sendResp $ respondPreFlight origin
        _         -> app req $ sendResp . injectCorsHeaders origin

    respondPreFlight :: B.ByteString -> Response
    respondPreFlight origin =
      setHeaders (mkPreFlightHeaders requestedHeaders)
        $ injectCorsHeaders origin emptyResponse

    emptyResponse = responseLBS H.status204 [] ""
    requestedHeaders =
      fromMaybe "" $ getRequestHeader "Access-Control-Request-Headers" req

    injectCorsHeaders :: B.ByteString -> Response -> Response
    injectCorsHeaders origin = setHeaders (mkCorsHeaders origin)

    mkPreFlightHeaders allowReqHdrs =
      [ ("Access-Control-Max-Age", "1728000")
      , ("Access-Control-Allow-Headers", allowReqHdrs)
      , ("Content-Length", "0")
      , ("Content-Type", "text/plain charset=UTF-8")
      ]

    mkCorsHeaders origin =
      [ ("Access-Control-Allow-Origin", origin)
      , ("Access-Control-Allow-Credentials", "true")
      , ("Access-Control-Allow-Methods",
         B.intercalate "," $ TE.encodeUtf8 <$> cpMethods policy)
      ]

    setHeaders hdrs = mapResponseHeaders (\h -> mkRespHdrs hdrs ++ h)
    mkRespHdrs = map (\(k,v) -> (CI.mk k, v))
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`module Hasura.Server.Middleware where`

			`import Data.Maybe (fromMaybe)`
			`import Network.Wai`

add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import Control.Applicative`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`import Hasura.Prelude`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import Hasura.Server.Cors`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00			`import Hasura.Server.Logging (getRequestHeader)`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import Hasura.Server.Utils`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
			`import qualified Data.ByteString as B`
			`import qualified Data.CaseInsensitive as CI`
			`import qualified Data.Text.Encoding as TE`
			`import qualified Network.HTTP.Types as H`


			`corsMiddleware :: CorsPolicy -> Middleware`
			`corsMiddleware policy app req sendResp =`
			`maybe (app req sendResp) handleCors $ getRequestHeader "Origin" req`

			`where`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`handleCors origin = case cpConfig policy of`
read cookie while initialising websocket connection (fix #1660) (#1668) * read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook 2019-03-04 10:46:53 +03:00			`CCDisabled _ -> app req sendResp`
			`CCAllowAll -> sendCors origin`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`CCAllowedOrigins ds`
			`-- if the origin is in our cors domains, send cors headers`
			\| bsToTxt origin `elem` dmFqdns ds -> sendCors origin
			`-- if current origin is part of wildcard domain list, send cors`
			`\| inWildcardList ds (bsToTxt origin) -> sendCors origin`
			`-- otherwise don't send cors headers`
			`\| otherwise -> app req sendResp`

			`sendCors :: B.ByteString -> IO ResponseReceived`
			`sendCors origin =`
			`case requestMethod req of`
			`"OPTIONS" -> sendResp $ respondPreFlight origin`
			`_ -> app req $ sendResp . injectCorsHeaders origin`
move raven into graphql-engine repo 2018-06-27 16:11:32 +03:00
			`respondPreFlight :: B.ByteString -> Response`
			`respondPreFlight origin =`
			`setHeaders (mkPreFlightHeaders requestedHeaders)`
			`$ injectCorsHeaders origin emptyResponse`

			`emptyResponse = responseLBS H.status204 [] ""`
			`requestedHeaders =`
			`fromMaybe "" $ getRequestHeader "Access-Control-Request-Headers" req`

			`injectCorsHeaders :: B.ByteString -> Response -> Response`
			`injectCorsHeaders origin = setHeaders (mkCorsHeaders origin)`

			`mkPreFlightHeaders allowReqHdrs =`
			`[ ("Access-Control-Max-Age", "1728000")`
			`, ("Access-Control-Allow-Headers", allowReqHdrs)`
			`, ("Content-Length", "0")`
			`, ("Content-Type", "text/plain charset=UTF-8")`
			`]`

			`mkCorsHeaders origin =`
			`[ ("Access-Control-Allow-Origin", origin)`
			`, ("Access-Control-Allow-Credentials", "true")`
			`, ("Access-Control-Allow-Methods",`
			`B.intercalate "," $ TE.encodeUtf8 <$> cpMethods policy)`
			`]`

			`setHeaders hdrs = mapResponseHeaders (\h -> mkRespHdrs hdrs ++ h)`
			`mkRespHdrs = map (\(k,v) -> (CI.mk k, v))`